This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Excessive LLMNR packets from one workstation

0

We have one workstation which sends out 40 LLMNR packets every 30 seconds (marked "Standard query A"). It's been checked every way possible for malware and rootkits, and I feel pretty confident that it's clean. But what gives? None of the other machines on our network broadcast anywhere near this much. Or am I obsessing over nothing?

-Roger

asked 11 Oct '12, 11:36

Shrubber
1111
accept rate: 0%

You mean LLMNR query? If so, does the workstation get a response?

(12 Oct '12, 01:42) rakki

Yes, Standard query A. The workstation being queried is online, but I haven't seen any responses. Both systems are working Windows 7 Pro workstations. There are files being shared, which works fine regardless. Thinking of turning off LLMNR completely on both workstations.

(12 Oct '12, 05:55) Shrubber

At some point I had these LLMNR 10-random-character multicasts flooding the network at a rate of 30 packets per second, all coming from one workstation.

(21 Mar '13, 03:44) Joop

2 Answers:

0

Please take a look at the following question and my answer

http://ask.wireshark.org/questions/12840/weird-nbns-queries

Those queries could well be generated by a feature of the Chrome browser. It does random name lookups for some purpose.

What do the LLMNR queries look like in your network? Are they for random names? If so, please check if Chrome is running on that system. If so, close the browser and then check if the LLMNR queries stop.

If the name queries are not random (and Chrome is not used), can you please post a sample capture of the queries somewhere (cloudshark.org)?

Regards
Kurt

answered 13 Oct '12, 01:46

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

0

Random name lookups (DNS/NBNS/LLMNR) related to Chrome can occur when using a proxy auto-config script on your network. Changing the proxy settings to disable automatic configuration is one way to test/work around that behavior.

Chrome does random, 10-character name lookups on startup in an effort to prevent nefarious activities of some ISPs. However, if the PAC script has an error, Chrome will rerun it... repeatedly. Subsequently, any name lookups in the script would be called until Chrome is shut down.

The fix is already in the first release channel. A few random lookups during the first page load are normal though. https://tools.google.com/dlpage/chromesxs

-Todd

answered 15 Nov '12, 12:51

Tenu1000
1
accept rate: 0%